Monitoring Traffic
*''incomplete''
**SYN or SYN-SYNACK-ACK is seen but no data packets are seen. In other words, the traffic you are seeing is not really an application.
**EX: if a client sends a server a SYN and the firewall creates a session for that SYN, but the server never sends a SYNACK back to the client, then that session would be incomplete.
*''insufficient-data''
**The firewall didn't see the complete TCP 3-way handshake, OR
**There were no data packets exchanged after the handshake.
**Means that there was not enough data to identify the application. For EX: if the 3-way handshake completed and there was 1 data packet after the handshake, but that 1 data packet was not enough to match any of our signatures.
*''unknown-tcp''
**Firewall was unable to identify the TCP application after the 3-way handshake was complete and data was received.
*''unknown-udp''
**Firewall was unable to identify the UDP application after the 3-way handshake was complete and data was received.
*''unknown-p2p''
**Application matches generic p2p heuristics.
For these unknown applications, the customer must submit pcaps of the app to Palo Alto Support to create a new signature, OR you will need to configure the firewall to identify this application:
#Create a new application (instructions below)
#Create an application override policy
#Make sure there is a security policy that permits the traffic.
*''not-applicable''
**Session is blocked by the firewall.
**The firewall has received data that we are discarding because the port/service that the traffic is coming in on is NOT allowed, OR there is no rule/policy allowing that port/service.
**EX: if there was only 1 rule on the PAN and that rule allowed the application web-browsing only on port/service 80, and traffic is sent to the PAN on any port/service other than 80, then the traffic will be discarded/dropped.
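As an added illustration (not code from this wiki page or from Palo Alto Networks), the rules above expressed as a small Python model of how a TCP session ends up with one of these App-ID values. The allowed-port set, the signature table, the p2p check and the byte threshold are constructed stand-ins, not firewall internals; only the category names come from the page.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class TcpSession:
    dst_port: int
    syn: bool = False       # client SYN seen
    synack: bool = False    # server SYN-ACK seen
    ack: bool = False       # client ACK seen (handshake complete)
    payloads: List[bytes] = field(default_factory=list)  # data packets after the handshake


# Constructed: ports some security rule permits; anything else is dropped
# before App-ID runs, which is what the page calls "not-applicable".
ALLOWED_PORTS = {80, 443, 993}
# Constructed signatures: (leading pattern, bytes needed before a verdict).
SIGNATURES = {
    "web-browsing": (b"GET ", 16),
    "ssl": (b"\x16\x03", 6),
}
MIN_BYTES = 8  # constructed: below this no signature can decide


def looks_like_p2p(data: bytes) -> bool:
    """Constructed stand-in for the page's 'generic p2p heuristics'."""
    return data.startswith(b"\x13BitTorrent protocol")


def classify(s: TcpSession) -> str:
    """Return the App-ID value a session-end log entry would carry."""
    if s.dst_port not in ALLOWED_PORTS:
        return "not-applicable"      # no rule/service allows this port
    if not s.payloads:
        return "incomplete"          # SYN or SYN-SYNACK-ACK seen, no data
    if not (s.syn and s.synack and s.ack):
        return "insufficient-data"   # data seen but the handshake never completed
    data = b"".join(s.payloads)
    for app, (pattern, need) in SIGNATURES.items():
        if len(data) >= need and data.startswith(pattern):
            return app               # identified application
    if looks_like_p2p(data):
        return "unknown-p2p"
    if len(data) < MIN_BYTES:
        return "insufficient-data"   # e.g. one short packet, not enough to match
    return "unknown-tcp"             # enough data, nothing matched
```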
'''New Application'''
#Objects -> Applications -> New
#*Specify the application name and properties
#*On the Advanced tab, enter the port number that uniquely identifies the application
#Policies -> Application Override -> Add rule
#*Specify the port number
#*Configure the application to be the one you just created.
#Policies -> Security -> Add Rule
#*Configure the zones and addresses
#*Select the new app in the Application column
#*Select application-default for the service
#*Allow or deny the action and commit.
Application override policies are checked before security policies. The application override will be used in place of the App-ID engine to identify the traffic. Security profiles CANNOT be assigned to Application Override policies. Application override policies bypass the signature match engine entirely, so Content-ID cannot be performed on this traffic. Application override should be used with internal traffic only.
'''Logs:'''
Monitor -> Logs ->
*''TRAFFIC'' = Displays an entry for the start and end of each session.
**Includes: date and time, source and destination zones, addresses, and ports, the application name, the security rule name applied to the flow, the rule action (allow, deny, or drop), the ingress and egress interface, and the number of bytes.
*''THREAT'' = Displays an entry for each security alarm generated by the firewall.
**''Type'' column indicates the type of threat (such as virus or spyware).
**''Name'' column is the threat description or URL.
**''Category'' column is the threat category, such as Keylogger, or the URL category.
*''URL FILTERING'' = Displays logs for URL filters, which block access to specific web sites and web site categories or generate an alert when a prescribed web site is accessed.
*''WILDFIRE'' = Displays logs for files that are uploaded and analyzed by the WildFire server; log data is sent back to the device after analysis, along with the results.
**A subscription is required; otherwise you can use the WildFire Portal to view log information.
*''DATA FILTERING'' = Displays logs for the security policies that help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall.
**If password protection is configured, the system prompts you only once per session.
*''HIP MATCH'' = Displays information about security policies that apply to GlobalProtect clients.
*''CONFIGURATION'' = Displays an entry for each configuration change.
**Includes: date and time, the administrator user name, the IP address from where the change was made, the type of client (Web or CLI), the type of command executed (commit, edit, delete, or set), whether the command succeeded or failed, the configuration path, the values before and after the change, and a sequence number.
*''SYSTEM'' = Displays an entry for each system event. Each entry includes the date and time, the event severity, and an event description.
*''ALARMS'' = Records detailed information on alarms that are generated by the system.
'''Action Field'''
'''ThreatID Field'''
'''Troubleshooting:'''
'''Issue'''
While trying to access gmail.com and me.com from a Mac Mail client, the sessions time out before access is granted. They are both using SSL and Secure IMAP on port 993 and the firewall is configured to allow IMAP and SSL, but the connection is not successful and the monitor logs show several "incomplete" messages.
'''Solution'''
Check the Service port (Policies > Security Rules). If set to application-default, applications are allowed or denied only on the default ports defined by Palo Alto Networks. If an application is using a non-standard port, it won't be allowed by the firewall. Changing the setting to any for the specific application should resolve the issue.
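An added triage script (not from this wiki page or from Palo Alto Networks) that reads TRAFFIC log rows, counts the unidentified App-ID values listed above, and flags rule/port pairs where "incomplete" sessions pile up, which is the symptom in the port 993 case. The CSV column layout and the sample rows are constructed for this example; a real log export has more columns.

```python
import csv
from collections import Counter
from io import StringIO

UNKNOWN_APPS = {"incomplete", "insufficient-data", "unknown-tcp",
                "unknown-udp", "unknown-p2p"}

# Constructed columns, a subset of what the TRAFFIC log carries.
FIELDS = ["time", "src_zone", "dst_zone", "src", "dst", "dport",
          "app", "rule", "action", "bytes"]

# Constructed sample session-end entries (not real firewall output).
SAMPLE_LOG = """\
2020/02/14 09:00:01,trust,untrust,10.0.0.5,192.0.2.10,993,incomplete,allow-mail,allow,0
2020/02/14 09:00:03,trust,untrust,10.0.0.5,192.0.2.10,993,incomplete,allow-mail,allow,0
2020/02/14 09:00:07,trust,untrust,10.0.0.6,192.0.2.11,993,incomplete,allow-mail,allow,0
2020/02/14 09:00:09,trust,untrust,10.0.0.7,198.51.100.3,443,ssl,allow-web,allow,5120
2020/02/14 09:00:12,trust,untrust,10.0.0.7,198.51.100.4,80,web-browsing,allow-web,allow,2048
2020/02/14 09:00:15,trust,untrust,10.0.0.8,198.51.100.9,6881,unknown-tcp,allow-any,allow,900
2020/02/14 09:00:20,trust,untrust,10.0.0.9,198.51.100.5,8443,not-applicable,,deny,0
"""


def parse_log(text):
    """Parse CSV rows into dicts keyed by FIELDS."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def summarize(rows):
    """Sessions per App-ID value, plus the subset App-ID could not identify."""
    by_app = Counter(r["app"] for r in rows)
    unidentified = {a: n for a, n in by_app.items() if a in UNKNOWN_APPS}
    return by_app, unidentified


def incomplete_hotspots(rows, min_sessions=3):
    """(rule, port, count) where 'incomplete' repeats: check that rule's Service
    setting (application-default vs. any) before suspecting the application."""
    hits = Counter((r["rule"], r["dport"]) for r in rows if r["app"] == "incomplete")
    return [(rule, port, n) for (rule, port), n in hits.items() if n >= min_sessions]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    by_app, unidentified = summarize(rows)
    print("unidentified sessions:", unidentified)
    for rule, port, n in incomplete_hotspots(rows):
        print(f"{n} incomplete sessions on rule {rule!r} port {port}: check Service setting")
```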